Insufficient scope error caused by undefined field in jwtAuthz #47
Comments
I'm getting the same error, "Insufficient Scope", as mentioned above. As suggested above, doing |

As you commented, but I had to change my Auth0 API settings: on the API dashboard, under 'RBAC Settings', I activated 'Enable RBAC' and 'Add Permissions in the Access Token'. This is my final config. |

I've noticed this error as well. However, in my case I didn't use any additional properties in the JWT for RBAC or other stuff, I just used the standard Didn't get it working with this package and therefore looked at https://github.com/benrei/express-jwt-scope Used these versions: |

Same issue here on versions "express": "^4.18.1". The solution from afilazzola works. The problem is caused by the express-jwt v6 upgrade, where the decoded JWT payload is now available as req.auth rather than req.user. See the migration points (Migration from v6) in the express-jwt description: https://github.com/auth0/express-jwt |

Same. Make sure you use |
Description
The field selection from the `jwtAuthz` function appears to be incorrect. I was running into the exact same issue as reported here, except that specifying a `customScopeKey` did not solve the problem. Looking at the output of the request and the function itself, there is no field on the JWT token called `user`, but that is what the function is requesting. Revising the `userKey` field to `auth` corrects the behaviour.

Reproduction

The middleware I was using:

```js
app.get('/userbased', checkJwt, jwtAuthz(['read:ssim']), (req, res) => {
  console.log('Request', req['auth']);
  res.send('Role based user authentication is working');
});
```

The edit I made to the `jwtAuthz` function:

```js
let userKey = 'auth';
```
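The `req.user` versus `req.auth` mismatch described in this issue and in the comments, as an added example that is not express-jwt-authz's own code: a minimal jwtAuthz-style scope check with the decoded-token property made configurable, run offline against a constructed express-jwt v6 style request. The names `makeJwtAuthz`, `userKey`, `scopeKey`, `fakeRes` and `runCheck` are assumptions for this example.

```javascript
// Added example, not express-jwt-authz's own code: a minimal scope check in
// the shape of jwtAuthz, parameterised on the request property that holds the
// decoded JWT. express-jwt < 6 put the payload on req.user; v6 puts it on
// req.auth, so a check hard-wired to req.user finds nothing and reports
// "Insufficient scope" even when the token carries the required scope.
function makeJwtAuthz(expectedScopes, { userKey = 'user', scopeKey = 'scope' } = {}) {
  return function jwtAuthz(req, res, next) {
    const fail = () => res.status(403).send('Insufficient scope');
    const payload = req[userKey];
    // A missing payload (wrong key, or no JWT middleware ran) is reported the
    // same way as a missing scope, which is what makes the symptom confusing.
    if (!payload) return fail();
    const raw = payload[scopeKey];
    // Scopes arrive as a space-delimited string ("read:ssim write:ssim") or,
    // with Auth0 "Add Permissions in the Access Token" enabled, as an array.
    let granted;
    if (typeof raw === 'string') granted = raw.split(' ');
    else if (Array.isArray(raw)) granted = raw;
    else return fail();
    if (!expectedScopes.some((s) => granted.includes(s))) return fail();
    return next();
  };
}

// Stand-in for an Express response so the middleware runs offline.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Run one request through the middleware and report what happened.
function runCheck(middleware, req) {
  const res = fakeRes();
  let calledNext = false;
  middleware(req, res, () => { calledNext = true; });
  return { next: calledNext, status: res.statusCode, body: res.body };
}

// Constructed request as express-jwt v6 populates it: payload on req.auth.
const reqV6 = { auth: { sub: 'user-123', scope: 'read:ssim' } };

// Default userKey 'user' never sees the payload: 403 "Insufficient scope".
const brokenResult = runCheck(makeJwtAuthz(['read:ssim']), reqV6);
// Pointed at req.auth: the scope is found and the route handler runs.
const fixedResult = runCheck(makeJwtAuthz(['read:ssim'], { userKey: 'auth' }), reqV6);
```

Pointing `userKey` at the wrong property is indistinguishable, from the client's side, from a genuinely missing scope, so checking the decoded payload location is the first thing to verify after an express-jwt upgrade.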